Fix #8664: Add content blocker to upgrade passive mixed content

[kylehickinson]

Summary of Changes

This pull request fixes #8664

Submitter Checklist:

• [x] Unit Tests are updated to cover new or changed functionality
• [x] User-facing strings use NSLocalizableString()
• [x] New or updated UI has been tested across:
  • [x] Light & dark mode
  • [x] Different size classes (iPhone, landscape, iPad)
  • [x] Different dynamic type sizes

Test Plan:

Note: Due to a WebKit bug (https://bugs.webkit.org/show_bug.cgi?id=258711) the app will still display the "Not Secure" triangle even if all http content is promoted to https.

• Verify that http content was promoted to HTTPS via the web inspector in Settings.app > Safari > advanced and view via Safari on a mac. A console log should appear noting that it promoted the image to https and the Network tab should display a lock next to the upgraded content.
• Now that we hide the "Not Secure" title for mixed content:
  • Verify that very.badssl.com (or any mixed content site) shows only the triangle icon but that the icon is still tappable.
  • Verify that http.badssl.com/expired.badssl.com still display the appropriate "Not Secure" title

Reviewer Checklist:

• [ ] Issues include necessary QA labels:
  • QA/(Yes|No)
  • bug / enhancement
• [ ] Necessary security reviews have taken place.
• [ ] Adequate unit test coverage exists to prevent regressions.
• [ ] Adequate test plan exists for QA to validate (if applicable).
• [ ] Issue and pull request is assigned to a milestone (should happen at merge time).

[iccub]

Let's sec review it

[stoletheminerals]

I get .mixedContent warning here as well https://stoletheminerals.github.io/mixedcontent.html. Do we check for mixed content before auto-upgrading?

[stoletheminerals]

Same on Booking. I can see that links were upgraded to HTTPS, but the warning is still there.

[kylehickinson]

@stoletheminerals Seems like there may a race condition somewhere in the logic that updates the UI, when I attach the debugger and run through the results I actually see even very.badssl.com no longer shows as not secure (along with your test site).

[kylehickinson]

Seems like there is a bug in WebKit here, where hasOnlySecureContent does not update to true when http content is promoted to https via content blocker. Open WebKit bug report: https://bugs.webkit.org/show_bug.cgi?id=258711